Resources

Opportunity to Improve

By: Craig Schurr (CISA, CISSP, CCNP, MCTS)

Publication: The Kansas Banker
, June 2014

2014-06-01T20:45:00.0000000

The previous “year of the security breach” is behind us, and now we find ourselves treading water through a year that so far has been defined by significant vulnerabilities and exposures. How do we proactively protect against these newly discovered threats? Luckily, or unluckily depending on how you want to look at it, due to the nature and severity of some of the recent security breaches we have been given plenty of data to analyze. With each new story, I caught myself repeating some variation of “Why did they allow…? That goes against everything you learn in security 101!” Let’s just call this our “opportunity to improve.”

A successful data breach consists of gaining access, discovering where the data is located, collecting the data and then exporting the data. A data breach requires all four phases to be completed successfully. Meaning, we have several opportunities to thwart an attempted data breach. Let’s break it down per phase.

Gaining access is achieved by several methods including, but not limited to: email attachments or websites that contain malicious software, exploitation of unpatched vulnerabilities, social engineering, or a disgruntled employee. Information security risk assessments and programs tend to focus on preventing an attacker from successfully accessing the network, and for good reason. If the intent of an attack is just to cause damage, this is the only phase that needs to be completed. As a whole, the financial industry does a good job at implementing security controls to prevent this phase from being successful, but there is always room for improvement.

Once an attacker has gained access to the network, their next step is to discover confidential data. The attacker can use automated tools to plot the network and look for file shares with sensitive data. Implementing security controls that follow the principle of least privilege can greatly reduce the amount of data that can be collected. Systems and users should only be granted the appropriate level of access to the specific resources necessary to complete their jobs. Now, for a breach to be successful or malicious software to cause substantial damage, an attacker not only has to compromise and gain access to an internal system, they have to gain access to an internal system that has access to the protected data. Proper network segregation and system access controls are crucial to mitigating today’s threats (e.g. CryptoLocker, ATM Unlimited Operations).

Note: With malicious software like CryptoLocker, it is important to lock down access to on-disk backups. New variations of this software search for network shares and encrypt any and all shares where it has write access. The only account that typically needs write access to these shares is the account used to perform the backups, and it should only be granted from the system performing the backups. Often, the only recovery option you have with these types of attacks is to restore from backup.

The next phase is data collection. Assuming an attacker has discovered and has access to the data, the best method of detecting data collection is network monitoring capable of detecting the anomalous behavior of the attacker. The compromised account may normally have access to the data; however, if data collection is outside of the normal behavior trend, it may make it easier to detect.

If an attacker has made it this far, the next step is exporting the data. Egress filtering on the bank’s firewall can go a long way to preventing a successful export. Egress filtering should be configured to limit access from internal networks to the Internet to only the specific ports and IP addresses required for business operations. Advanced attackers may try to bypass egress filtering by using encrypted tunnels over commonly allowed services like HTTPS. To mitigate this threat, all web traffic should be processed through a web filter that is capable of inspecting and/or inspecting SSL traffic. Also, most IDS/IPS systems are capable of blocking all traffic destined to known malicious IP addresses.

It is important to note that even if the discussed security controls are implemented, it is not guaranteed that all security breaches will be prevented. However, these basic steps make it considerably more difficult, and expensive, for an attacker to be successful. Ultimately, the goal in information security is to make attacks on your network a losing venture.